Stolen EHR Charts Sell for US$50 Each on Black Market
By Robert Lowes. Ref: http://www.medscape.com/viewarticle/824192?nlid=55843_2563&src=wnl_edit_medp_ca
Physicians can expect criminals to increasingly target their electronic health records (EHRs) for patient information that they can sell on the black market for $50 per chart, warns the FBI. The agency's Cyber Division issued a memo earlier this month forecasting what already has become apparent with every hacked hospital Web site and stolen physician laptop — criminals see a golden opportunity in healthcare information technology. It's an opportunity born of the mandatory shift to EHRs, laxer safeguards in healthcare compared with those in the retail and financial sectors, and "a higher financial pay-out for medical records in the black market," according to the FBI.
The proliferation of EHR systems coupled with more and more medical devices connected to the Internet, the FBI said, "is generating a rich new environment for cyber criminals to exploit."
The federal program to encourage "meaningful use" of EHRs with bonuses and penalties has contributed to this state of vulnerability, said Steven Waldren, MD, an information technology expert and senior strategist with the American Academy of Family Physicians (AAFP).
The meaningful-use program, Dr. Waldren told Medscape Medical News, has pushed some medical practices to implement EHRs even though they weren't exactly ready to. "You have more naïve organizations from a technical standpoint adopting these things," said Dr. Waldren. And that naïveté extends to protecting patient information.
The organizations most vulnerable to hackers and identity thieves, added Dr. Waldren, are small physician practices and small community hospitals with scarcely any money to make the investments in data security that large hospital systems do.
Physicians aren't helpless in the face of data thieves. The AAFP's Dr. Waldren recommends protective measures that are doable even in a solo practice:
• Keep your software up-to-date and install all security "patches" offered by the vendor. "They plug holes that hackers can exploit to get into a system," said Dr. Waldren.
• Install only those applications on office computers that are needed to operate the practice. Letting an employee install an "instant messenger" program on his or her computer is asking for hacker trouble.
• Likewise, restrict the kinds of Web sites that employees can visit on company computers. Some sleazy sites are engineered to let hackers enter the practice's system.
• Talk to your EHR and billing software vendors about encrypting data on laptops, smartphones, and other mobile devices.
• Don't forget to establish rules for physically securing mobile devices as well. A laptop sitting on the backseat of a car invites a break-in. Why not put it in the trunk?
• Also ask your software vendors about the best practices that they recommend for customers. What's their advice on operating a wireless network in the office, for example?
• If you have an EHR that runs on a client-server network in your office, consider switching to an online, cloud-based system. "Having the server in the office pushes security requirements to the end user," said Dr. Waldren. Because the remote server of a cloud-based EHR system stores patient data from multiple medical practices, it may appear to be a more tempting target for hackers, but a large vendor has more resources to protect those assets than a single medical practice tending an office server, he said.